CVE-2026-40263
Received Received - Intake
Username Enumeration via Timing Attack in Note Mark Login

Publication date: 2026-04-17

Last updated on: 2026-04-17

Assigner: GitHub, Inc.

Description
Note Mark is an open-source note-taking application. In versions 0.19.1 and prior, the login endpoint performs bcrypt password verification only when the supplied username exists, returning immediately for nonexistent usernames. This timing discrepancy allows unauthenticated attackers to enumerate valid usernames by measuring response times, enabling targeted credential attacks. This issue has been fixed in version 0.19.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-17
Last Modified
2026-04-17
Generated
2026-06-16
AI Q&A
2026-04-17
EPSS Evaluated
2026-06-14
NVD
CVE-2026-40263
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
note_mark note_mark to 0.19.2 (exc)
note_mark note_mark 0.19.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-208 Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Note Mark, an open-source note-taking application, in versions 0.19.1 and earlier. The login endpoint only performs bcrypt password verification if the username exists. If the username does not exist, the system returns immediately without performing the verification. This difference in response time allows an attacker who is not authenticated to determine which usernames are valid by measuring how long the system takes to respond.

By exploiting this timing discrepancy, attackers can enumerate valid usernames, which can then be used to launch targeted credential attacks.

Impact Analysis

The vulnerability allows attackers to discover valid usernames on the Note Mark application by measuring response times during login attempts.

Once attackers know valid usernames, they can focus their efforts on those accounts, increasing the risk of successful credential-based attacks such as password guessing or brute force attacks.

Although the CVSS score is relatively low (3.7), the information disclosure can facilitate further attacks that may compromise user accounts.

Mitigation Strategies

To mitigate this vulnerability, upgrade Note Mark to version 0.19.2 or later, where the timing discrepancy in the login endpoint has been fixed.

Compliance Impact

The vulnerability allows unauthenticated attackers to enumerate valid usernames by measuring response times during login attempts. This could potentially facilitate targeted credential attacks.

However, there is no specific information provided about how this vulnerability impacts compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by measuring the response times of the login endpoint when submitting login attempts with different usernames. Specifically, an attacker can send login requests with both existing and non-existing usernames and observe the timing differences in the server's responses.

To detect this on your system, you can use command-line tools like curl combined with time measurement utilities to compare response times for valid and invalid usernames.

  • Use curl to send login requests and measure response time, for example: time curl -X POST -d 'username=validuser&password=any' https://your-note-mark-instance/login
  • Repeat the above command with a non-existent username and compare the response times.
  • If the response time for valid usernames is consistently longer than for invalid ones, this indicates the presence of the timing discrepancy vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-40263. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart